

About this guide 


Welcome to Qualys Cloud Platform! This guide shows you how to use the Qualys Security 
Assessment Questionnaire to streamline your third-party and internal risk assessment 
processes and to design in-depth surveys to assess security policies and practices of third 
parties and internal staff and their compliance with industry standards, regulations, and 
internal requirements. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations, including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please 
visit www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 24 
hours a day. Access support information at www.qualys.com/support/ 


Introduction to Qualys Security Assessment Questionnaire


Qualys Security Assessment Questionnaire (SAQ) gives you the ability to create campaigns 
to help you send out questionnaires to any number of users and to collect their risk and 
compliance data. 


Just create templates with your risk and compliance questions and requirements. Create a 
Campaign using this template, add users and launch the campaign. That's it! We will send 
out emails to the users, and they can start responding to these questionnaires 
immediately. 


Before you start 


Only a user with a Manager role can launch and manage Campaigns in SAQ. To create 
users with a manager role, you need to set up new users using Vulnerability Management 
(VM/VMDR) and grant them access to the SAQ app. 


How do I get started?
- Build your templates
- Manage Users in Your Subscription
- Create and Launch Campaigns


Build your templates 




A template is where you formulate questions you want users to answer. While creating a 
template, you can add rules, set criticality to the questions, assign risk scores to the 
template, etc. You can also create copies of a template and customize it for different 
purposes and audiences. 


Create a Template 


1. Go to Templates > My Templates and select New Template. You may select one of the
four options. For example, select ‘Blank Template’.




2. Provide a Template name and a description. Click OK. 




3. On the Builder tab, add questions, create rules, specify required attachments and
layout.




Optional: You can also pick questions from Shared Assessments SIG Question Bank or 
from templates in our Library to import into your template. 




4. Set criticality for your questions. 




5. Set risk scores for each answer.




Manage Rules 


To make your questionnaire dynamic, you can configure a template to create rules to 
show or hide questions in the template. These rules are executed dynamically in the 
questionnaire for that template, depending on the answers given by the responder. 


Jump To Rule:


[Screenshot: Rules tab showing Jump To Rule 3.1 in the form IF (question) ANSWER IS Not satisfied THEN Jump To (question).]


Hide Rule:


[Screenshot: Rules tab showing Hide Rule 3.1 in the form IF (question) ANSWER IS Satisfied THEN Hide (question).]


Once all questions are added, click Publish to publish the template so that it can be used 
for the campaign. 


Other options for template creation are as mentioned below: 


- From Template XML - Import a template as an XML file. Once imported, you can use our 
template editor to make updates. 


[Screenshot: Questionnaire Template Import dialog. At import time the template file data is verified; once imported, you can edit the template and use it to launch new campaigns.]


- From Template EXCEL - Import template as an Excel (.xls or .xlsx) file. Once imported, 
you can use our template editor to make updates. Make sure you provide the template 
details in the same format in the sample template. You can download the sample 
template from the window that will open once you select this option. 




- From Library - You can directly import out-of-box templates from Qualys template library
and edit them as per your requirement.




If you are creating a template from blank, you can start by organizing your questionnaire 
into sections, subsections, and questions or you can add sections to a template imported 
from XML or library. 


Manage Users in Your Subscription 


As a Campaign owner, you can invite people to your campaign, e.g., employees, partners, 
vendors, or subject matter experts. These users can be in your subscription, outside of 
your subscription, from your organization, or external to your organization. 


Create a user with a Manager role 


To create a user with a Manager role, you need to set up new users using the VM/VMDR
module and grant them access to the SAQ app. Only a user with a Manager role can
launch and manage Campaigns in SAQ.


To add a user 


Go to Security Assessment Questionnaire > Users tab and click Add User.




Provide all the required information about the user and click Add User. This user is now 
added to your subscription and is listed on the Users tab. 


[Screenshot: Create New User dialog with the fields First Name, Last Name, Company, Title, Email and Tags. The dialog notes that adding a user uses a license and that the user is sent a registration email with a secure link to the SAQ module.]




Use CSV to add multiple users 


You can add multiple users by importing a CSV file. The file should contain the new users' 
first name, last name, company, and email addresses separated by semi-colons. Click 
Choose File or drag and drop the CSV file to import it. 
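
A pre-import check for the user CSV described above, as an added example that is not part of the Qualys guide or product. It assumes one user per line in the order first name; last name; company; email with no header row, and the sample rows are constructed. The duplicate-email and formula-character checks are precautions added here, not documented SAQ behaviour.

```python
import csv
import io
import re

# Assumed column order (the guide lists the fields but shows no sample file).
FIELDS = ("first_name", "last_name", "company", "email")
# Deliberately loose syntax check: one "@", a dot in the domain, no spaces or ";".
EMAIL_RE = re.compile(r"^[^@\s;]+@[^@\s;]+\.[^@\s;]+$")
# Leading characters that spreadsheet tools treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def validate_user_csv(text):
    """Return (rows, errors): accepted rows as dicts, rejected lines as (line_no, reason)."""
    rows, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text), delimiter=";")
    for record in reader:
        line_no = reader.line_num
        fields = [f.strip() for f in record]
        if not any(fields):
            continue  # blank line
        if len(fields) != len(FIELDS):
            # A single field containing commas usually means the wrong delimiter.
            hint = " (comma-delimited?)" if len(fields) == 1 and "," in fields[0] else ""
            errors.append((line_no, f"expected {len(FIELDS)} fields, got {len(fields)}{hint}"))
            continue
        row = dict(zip(FIELDS, fields))
        problems = []
        for name, value in row.items():
            if not value:
                problems.append(f"{name} is empty")
            elif value.startswith(FORMULA_PREFIXES):
                problems.append(f"{name} starts with a formula character")
        email_key = row["email"].lower()
        if row["email"] and not EMAIL_RE.match(row["email"]):
            problems.append("email is not well-formed")
        elif email_key in seen:
            problems.append("duplicate email")
        if problems:
            errors.append((line_no, "; ".join(problems)))
            continue
        seen.add(email_key)
        rows.append(row)
    return rows, errors


def to_import_csv(rows):
    """Serialize accepted rows back to semicolon-separated text for upload."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter=";", lineterminator="\n")
    for row in rows:
        writer.writerow([row[name] for name in FIELDS])
    return out.getvalue()


# Constructed sample input: two good rows and four rows that should be rejected.
SAMPLE = (
    "Steve;Smith;Example Corp;ssmith@example.com\n"
    "Ana,Lopez,Example Corp,alopez@example.com\n"    # commas instead of semicolons
    "Raj;Patel;Example Corp;rpatel@example\n"        # email domain has no dot
    "Steve;Smith;Example Corp;SSmith@example.com\n"  # same address, different case
    "=cmd;Lee;Example Corp;lee@example.com\n"        # formula-style first name
    "\n"
    "Mia;Chen;Example Corp;mchen@example.com\n"
)

if __name__ == "__main__":
    accepted, rejected = validate_user_csv(SAMPLE)
    for line_no, reason in rejected:
        print(f"line {line_no}: {reason}")
    print(to_import_csv(accepted), end="")
```
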




Add users outside of your subscription 


You might want to send questionnaires to users who do not already have access to the 
SAQ app. Follow the same process to add this user. After a user is assigned to an active 
campaign, the user receives an email invitation to log in to the SAQ app and respond to 
their assigned questionnaire. 


Delete a user 


You can delete a user from SAQ if that user is not assigned to an active campaign. To 
delete a user, navigate to the Users tab and choose Delete User from the Quick Actions 
menu. To delete multiple users in one go, select users in the list and choose Delete User 
from the Actions menu above the list. 


Create and Launch Campaigns 


Create campaigns to send out questionnaires to the intended recipients. To collect 
the risk and compliance data, you must create and launch campaigns. You can create 
a campaign from any of the following tabs: 

- CAMPAIGNS 

- TEMPLATES 

- VENDORS 


What you'll need 
- SAQ must be enabled for your subscription. Contact your Technical Account Manager 
or Support to get this feature. 


- User must be assigned ‘Manager or Unit Manager’ and ‘Questionnaire Manager’ roles.


Create a campaign from the CAMPAIGNS tab 
Go to the CAMPAIGNS tab and click New Campaign. 




Give a name to your campaign. 


Choose a questionnaire template from the Template Library. 




Choose a workflow as per requirement. 


Depending on the workflow you choose, the questionnaire answered by the responder is
sent for review and approval.


- Simple (2-stage) workflow sends the questionnaire to the user for information gathering. 


- Reviewable (3-stage) workflow sends the answered questionnaire to a reviewer for review. 
You can also add separate reviewers per section or subsection. 


- Full (4-stage) workflow sends the answered questionnaire to a reviewer and an approver. 


[Screenshot: Workflows step (2/6) with Reviewable (3-Stage) selected; stages: Information Gathering > Review > Close. A reviewer is added under Select Workflow Users, with an option to add a section or subsection reviewer.]


Add recipients to whom you want to send the questionnaire. You can invite any number of
users to complete your questionnaire. The recipients may include employees, partners,
vendors, and subject matter experts.

Users can be:

- In your subscription
- Outside of your subscription
- From your organization
- External to your organization


In case you have users who have already answered this questionnaire in the past, then
you can send the previously answered questionnaire. This questionnaire will be pre-filled
with all the responses they answered previously.




Schedule your campaign. 


You can choose to run a campaign on-demand or schedule it and run it automatically on a
particular date and time.


To schedule a campaign to run only once, keep the Recurring Job check box clear. 
Provide the start date, time, and due date for your campaign. 


To run your scheduled campaign periodically, select the Recurring Job check box. 


As a recurring job, choose the options for the recurrence pattern. Set the due date for your
campaign and the end date for your recurrence schedule. Set the day on which you want
to notify the campaign manager about the initialization of a campaign. You can also view
the next scheduled date, which is calculated based on the recurrence options that you set.




Set notifications and reminders for your campaign. 
[Screenshot: Notifications step (5/6) with three settings: Reminder Notifications (when to send notifications once the campaign is launched), Due Date Notifications (when to send notifications if the campaign is nearing due date), and Overdue Notifications (when to stop sending notifications after the due date).]


Review the campaign summary and click Create & Launch. 




Review your campaign notification. Click Edit to customize the notification. 


[Screenshot: Send Campaign dialog. An individual invitation is generated for each recipient. The default message reads:]

Dear {assigneeName},
A Questionnaire, entitled {title}, has been assigned to you by {creatorName} from {company} and needs to be completed by {dueDate}. Please click on the link below to start questionnaire.


Create a campaign from the TEMPLATES tab 


1. Go to the TEMPLATES tab and select a template from the My Templates tab or the 
Library tab. Only published templates can be used to launch campaigns. 


2. Open the Quick Actions menu, and click Start a campaign using this template. 
Alternatively, you can find the Start a campaign using this template option on the Actions 
menu. 




On the Create Campaign page, the questionnaire template is selected already. You
can change the template if you want. All the remaining workflow for creating a campaign
is as described in the Create a campaign from the CAMPAIGNS tab section.

Create a campaign from the VENDORS tab 




1. On the VENDORS page, select the vendors for whom you want to create and launch an
assessment campaign. To create a campaign for a single vendor, open the Quick Actions
menu, and click Start a campaign. Alternatively, you can find the Start a campaign option
on the Actions menu.


To create a single campaign for multiple vendors, click Actions > Start a campaign. 




On the Create Campaign page, on the Recipients tab, the users that you choose as single 
points of contact (SPOC) during vendor onboarding are displayed in the list of potential 
recipients for your campaign automatically. You can select these SPOCs as the intended 
recipients. This saves you the effort of manually adding users to the list of recipients. If 
you want to invite users other than SPOCs or if a SPOC is not assigned for a selected 
vendor, you can manually add the intended recipients. 


All the remaining workflow for creating a campaign is as described in the Create a 
campaign from the CAMPAIGNS tab section. 

Monitor Responses 


You can monitor responses to your campaigns in real-time. 


1. Go to the Campaigns tab and click the name of the campaign whose status you want to
check.


2. Select a questionnaire, open the Quick Actions menu and choose options to view 
questions, summary etc. Click View Questions. 




3. To filter the questions, click the filter buttons above the questions to display All, 
Incomplete or Delegated questions. 



4. Approve or reject each answer individually or all answers at once. 




If the questionnaire's workflow includes a review stage, it is not complete until the 
reviewer or a delegated user reviews all questions. You can see Approve and Reject 
buttons in the question palette as you click each question. Once you have marked all 
questions as either approved or rejected, you can submit the questionnaire. 


If you have rejected one or more answers, the questionnaire will be returned to the 
responding user. This user will have to correct the rejected answers and resubmit the 
questionnaire. If you've approved all questions, the questionnaire goes into its next state 
according to its workflow - either closed or approved. 


5. If the workflow includes an approval stage, the questionnaire remains active and needs 
to be approved to be closed. Choose View Questions from the quick action menu, click the 
right side of the Approve button (arrow) and choose either Approve or Reject. 



Create Reports 


You can launch reports anytime to get the latest responses submitted by users. You can 
preview and edit the report results before generating the final report. 


Go to Reports > New Report, choose your report, and we'll walk you through the steps.




Single Instance Report 


This is a report on one instance of a questionnaire. An instance is specific to one assigned 
user. For example, if you launched a campaign and invited 6 users, choose 1 of 6 instances 
for your report. (You need to be the campaign/questionnaire owner to create this report) 


Aggregate Template Report 


Report on multiple questionnaires launched from one template. You can choose a 
template and, optionally, apply filters. All questionnaires launched using the template are 
included if no filters are applied. (You need to be the campaign/questionnaire owner to 
create this report) 

Campaign Report 
Report on a single campaign. (You need to be the campaign owner to create this report) 



Vendor Onboarding 


Qualys Security Assessment Questionnaire (SAQ) gives you the ability to onboard new 
vendors, keep track of the existing ones, keep a record of their areas of business, and gain 
accurate visibility into your vendors’ records and related areas. 


To onboard a new vendor and to send out vendor assessments, do the following: 




1. Create users or identify the existing users for your vendor. Simply navigate to the USERS
> Users tab to create new users. For more information, refer to Manage Users in Your
Subscription.


2. Create a Vendor by navigating to the VENDORS tab. For more information, refer to Manage
Vendors.


3. Create a campaign and add the user associated with that vendor to the campaign to
initiate vendor assessment. For more information, refer to Create a campaign from the
VENDORS tab.

Once your vendor is added, you can send out campaigns for the assessment areas
applicable to the vendors and assess them against those specific areas. While creating a
Campaign, pick a Vendor template from the Template Library to quickly create a
questionnaire.


Manage Vendors


Create a Vendor 


You can create Vendor profiles with the required information, such as contact details 
(SPOC), address, service provided and so on, including the ability to upload contractual 
files. 


To onboard a vendor, do the following: 

- Provide basic vendor information like company details, category of service provided, 
etc. Specify whether the vendor is contractual or still in the proposed state (RFP) and 
upload relevant contract documents. 

- In Assessment Configuration, identify the assessment areas that are relevant to
services provided by your vendor. You can also add tags to better organize vendors
in your organization.

- Identify a Point of Contact for your vendor, associated users and internal contact. 

- Define vendor criticality manually or by using our internal campaign template to 
help you auto-calculate the criticality. 


Once created, this vendor is added to the vendors list on the VENDORS tab. You can View, 
Edit, or Delete users using the Quick Actions menu. 


1. Go to the VENDORS tab, and select Add New. 
2. Provide a name, details about the vendor company, select service category, etc. 


3. Select Vendor Type. If your vendor has sent an RFP and is not yet under contract, then 
select Proposed (RFP). By default, all vendors created as Contractual are marked Active. 
You can change the Vendor Status when you edit an existing vendor. 


4. Add supporting documents for the vendor contracts, as required. 


[Screenshot: Add Vendor wizard, step 1 of 5 (Vendor Details, Assessment Configuration, Point Of
Contact, Vendor Criticality, Summary). The Vendor Details step shows the Basic Information
fields: Parent Company, Website, Service Category, Service Description, and Vendor Type
(Contractual or Proposed (RFP)).]


5. Depending on the services associated with the vendor, choose the assessment areas. 


6. By default, all available areas are selected. Remove the areas that are not applicable to 
this vendor. 




7. Assign tags to organize and track vendors in your account effectively. These tags can 
also be used in reports for analysis of completed campaigns. 


[Screenshot: Assessment Configuration step, showing Select Assessment Areas (Operations
Management, Application Security, Compliance, Server Security) and the Tags selector.]


Identify a single point of contact (SPOC) in the vendor company for further 
communication. Usually, this user will have more information about the vendor and the 
vendor services. 
You can choose to use an existing user or create a new user. 


[Screenshot: Point Of Contact step, Vendor Contact section, with New User and Existing User
options. A new user created as SPOC is saved as an internal user with details associated to this
vendor. Fields: First Name, Last Name, Email, Contact Number, Company Name, Designation.]


8. You can map the existing users that were already associated with this vendor. The user 
identified as vendor SPOC is by default added as an associated user. 
9. You can choose to auto-generate vendor criticality. We send the template selected by 
the user (default internal template, library template, or custom template) to the internal 
contact user, and the vendor criticality is auto-calculated from that user's responses to 
the questionnaire. 

[Screenshot: Add Vendor wizard, step 4 of 5 (Vendor Criticality), with Auto-generate and
Customize options. Auto-generate sends a campaign to the internal contact; the value can be
changed manually later. Shown: Due Date, Change Template, the default template
Internal_Assessment_Template_VRM (8 questions), and the Internal Contact user selector.]


Otherwise, you can set the criticality manually. Choose the Customize option and, from 
the Criticality list, select the value most relevant to this vendor. 


10. Review all that you selected and save your vendor details. 
Edit a Vendor 


You can edit a vendor to update or change information such as contract documents, 
vendor status, SPOC, internal contact, etc. For example, suppose that while creating a 
vendor you set the Vendor Type to Proposed (RFP), so the vendor status was set to Inactive 
by default. Once the vendor is confirmed as a contractual vendor, you can edit the vendor 
to change Type to Contractual and Status to Active. 


Simply navigate to the VENDORS tab and choose the vendor you wish to edit. From the 
Quick Actions menu select Edit and make the required changes to the vendor. 


[Screenshot: editing the vendor Tetra Tech, Vendor Details step, showing the Basic Information
fields (Name, Parent Company, Website, Service Category, Service Description) plus Vendor Type
(Contractual or Proposed (RFP)) and Vendor Status (Active or Inactive).]


See Vendor Onboarding. 